D-WARD: DDoS Network Attack Recognition and Defense

Today's routers offer a best-effort service: they forward all traffic toward
destinations, attempting to deliver fast and fair service to all flows.
Policing, reliability, and rate-control mechanisms are therefore left to
be deployed by higher layers at end hosts. This feature has been misused
in distributed denial-of-service attacks, where many compromised hosts
simultaneously generate excessive traffic to a victim. The number of received
packets overwhelms the target, consuming its resources and rendering its
services unavailable. Many attempts have been made to design systems that
help identify attacking machines and stop malicious flows. Most of these
systems are located on the target side (either at the victim host or somewhere
in the target network), which facilitates easy detection of the problem
and possible characterization of the attack signature. However, they are
ineffective in stopping the attack because they require the cooperation
of upstream routers to push back the attacking flows. Other proposed
systems are located in the network between the attacking machines and the
victim. These identify and throttle attacking flows, autonomously or acting
on a signal from the victim. They require significant changes in core routers
and still do not prevent malicious flows from using network resources.

We propose a system that is located at the source network router (either
LAN or border router) that autonomously detects and suppresses DDoS flows
originating at this network. This system observes the outgoing and incoming
traffic and gathers lightweight statistics on the flows, classified by
destination. These statistics, along with built-in traffic models, define
legitimate traffic patterns. Any discrepancy between observed traffic and
a legitimate traffic pattern for a given destination is considered to be
the signal of a potential DDoS attack. The source router then decides to
throttle all traffic to the suspected target of the attack and at the same
time attempts to separate attacking flows from legitimate flows and identify
the attacking machines. This approach has the benefit of preventing malicious
flows from entering the network and consuming resources. As part of
our future work, we will investigate the possibility of also deploying
this system on the core routers.
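To make the source-router logic above concrete, here is an added Python sketch (not D-WARD's own code): per-destination and per-flow packet counts, a built-in traffic model, throttling of a suspected target, and separation of attacking hosts from legitimate ones. The outgoing/incoming packet-ratio model, the thresholds, and the addresses are assumptions chosen for illustration.

```python
from collections import defaultdict

# Assumed legitimate-traffic model (an assumption, not taken from the page):
# two-way protocols earn roughly one reply per few packets sent, so a much
# higher outgoing/incoming ratio toward one destination is a DDoS signal.
MAX_OUT_IN_RATIO = 3.0
MIN_PACKETS = 20  # too little traffic to judge below this

class SourceRouterMonitor:
    """Per-destination and per-flow packet counts as a source-end router keeps them."""
    def __init__(self):
        self.dest_stats = defaultdict(lambda: [0, 0])  # dest -> [sent, received]
        self.flow_stats = defaultdict(lambda: [0, 0])  # (local, dest) -> [sent, received]
    def observe(self, direction, local_host, dest):
        """Record one packet: 'out' from local_host to dest, 'in' the reverse."""
        idx = 0 if direction == "out" else 1
        self.dest_stats[dest][idx] += 1
        self.flow_stats[(local_host, dest)][idx] += 1
    @staticmethod
    def _ratio(sent, received):
        return sent / (received + 1)  # +1 keeps silent destinations finite
    def suspected_targets(self):
        """Destinations whose aggregate outgoing traffic violates the model."""
        return sorted(d for d, (s, r) in self.dest_stats.items()
                      if s + r >= MIN_PACKETS and self._ratio(s, r) > MAX_OUT_IN_RATIO)
    def attacking_hosts(self, dest):
        """Local hosts whose own flow to dest violates the model; legitimate flows are left out."""
        return sorted(h for (h, d), (s, r) in self.flow_stats.items()
                      if d == dest and self._ratio(s, r) > MAX_OUT_IN_RATIO)
    def throttle_plan(self):
        """Fraction of the current sending rate to allow toward each suspected target."""
        plan = {}
        for dest in self.suspected_targets():
            sent, received = self.dest_stats[dest]
            plan[dest] = min(1.0, MAX_OUT_IN_RATIO * (received + 1) / sent)
        return plan

def build_sample():
    """Constructed traffic: 10.0.0.5 behaves normally, 10.0.0.6 floods 203.0.113.9."""
    m = SourceRouterMonitor()
    for _ in range(10):  # normal exchange: 10 out, 10 replies
        m.observe("out", "10.0.0.5", "198.51.100.7")
        m.observe("in", "10.0.0.5", "198.51.100.7")
    for _ in range(100):  # flood: 100 out, no replies
        m.observe("out", "10.0.0.6", "203.0.113.9")
    for _ in range(5):  # legitimate flow to the same destination
        m.observe("out", "10.0.0.5", "203.0.113.9")
        m.observe("in", "10.0.0.5", "203.0.113.9")
    return m
```

Run `build_sample().throttle_plan()` to see only the flooded destination rate-limited, and `attacking_hosts("203.0.113.9")` to see the flooding host singled out while the legitimate host to the same destination is spared.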

D-WARD is funded under DARPA contract N66001-01-1-8937. Thanks to a funding and equipment grant from the
Intel Corporation, we have the opportunity to use Intel's IXP equipment to combat DDoS attacks in routers
close to attack sources.